Skip to content
Threat Feed
high advisory

Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE

This brief details the use of the legitimate Windows utility `certutil.exe` by various threat actors to download malicious files from public file-sharing and code-hosting websites, facilitating further compromise and evasion on targeted systems.

Threat actors frequently abuse legitimate Windows binaries (Living Off the Land Binaries, or LOLBINs) to evade detection and perform malicious activities, a technique known as "living off the land." One such binary is certutil.exe, typically used for managing certificate services. However, attackers can leverage its built-in functionality, specifically the urlcache and verifyctl commands with the url option, to download arbitrary files from remote locations. This technique is observed in various campaigns, including those by Agent Tesla and Mint Sandstorm, allowing adversaries to download additional malware, tools, or configuration files directly to compromised systems. By using trusted system utilities and common file-sharing platforms like GitHub, Pastebin, and cloud storage services, attackers can blend malicious traffic with legitimate network activity, making detection more challenging for defenders. This specific detection focuses on certutil.exe processes initiating downloads from a broad list of known file-sharing and code-hosting domains.

Impact

The successful exploitation of this technique allows attackers to bypass traditional perimeter defenses and introduce arbitrary payloads onto a compromised system. This can lead to a wide range of detrimental impacts, including the installation of ransomware, data exfiltration tools, keyloggers, or backdoors, ultimately enabling persistent access and further network penetration. The use of LOLBINs like certutil.exe for ingress tool transfer enhances an adversary's ability to remain undetected, increasing the likelihood of successful secondary infections and significant organizational damage, such as financial losses due to ransomware, reputational damage from data breaches, or operational disruption.

Recommendation

  • Deploy the Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE Sigma rule to your SIEM and tune for your environment to detect certutil.exe abuse.
  • Enable comprehensive process_creation logging on all Windows endpoints (e.g., via Sysmon) to ensure visibility into certutil.exe executions and their command-line arguments.
  • Consider implementing network egress filtering or web proxy policies to block or monitor connections to known suspicious file-sharing domains listed in the iocs section, particularly for non-standard user agents or processes.
  • Implement application control policies (e.g., AppLocker, Windows Defender Application Control) to restrict the execution of certutil.exe or other LOLBINs to approved directories or contexts, limiting its abuse potential.

Detection coverage 1

Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE

high

Detects the execution of certutil with specific flags used to download files from common file-sharing or code-hosting websites, a technique often used for ingress tool transfer.

sigma tactics: command_and_control, defense_evasion techniques: T1027, T1105 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →

Indicators of compromise

35

domain

TypeValue
domain.githubusercontent.com
domain0x0.st
domainanonfiles.com
domainbashupload.com
domaincdn.discordapp.com
domainchunk.io
domainddns.net
domaindl.dropboxusercontent.com
domainghostbin.co
domaingithub.com
domainglitch.me
domaingofile.io
domainhastebin.com
domainmediafire.com
domainmega.nz
domainonrender.com
domainpages.dev
domainpaste.ee
domainpastebin.com
domainpastebin.pl
domainpastetext.net
domainprivatlab.com
domainprivatlab.net
domainsend.exploit.in
domainsendspace.com
domainstorage.googleapis.com
domainstorjshare.io
domainsupabase.co
domaintemp.sh
domaintransfer.sh
domaintrycloudflare.com
domainufile.io
domainw3spaces.com
domainworkers.dev
domainx0.at